
Unsecured Credentials

Description from ATT&CK

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

Atomic Tests

Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus

This atomic calls the EC2 API GetPasswordData from a role that does not have permission to do so, so every call is denied and lands in CloudTrail as a failed ec2:GetPasswordData. It simulates an attacker attempting to retrieve the Windows administrator (RDP) password of a large number of Windows EC2 instances. The test leverages stratus-red-team, a tool built by DataDog (https://github.com/DataDog/stratus-red-team). Stratus Red Team is a self-contained binary that you can use to easily detonate offensive attack techniques against a live cloud environment; warmup creates the test instances and role, and detonate runs the calls (the --force flag below skips the interactive confirmation). Ref: https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/
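The detection side of this atomic, as an added example that is not part of Atomic Red Team or stratus-red-team: one principal calling GetPasswordData against many instances in a short window, whether the calls succeed or are denied. It reads CloudTrail records in their documented JSON shape (eventSource, eventName, userIdentity.arn, requestParameters.instanceId, errorCode); the sample records, the principal ARNs and instance IDs, and the threshold and window values are all constructed for the example and should be tuned per environment.

```python
"""Flag principals sweeping ec2:GetPasswordData across many instances.

Added example; not code from Atomic Red Team or stratus-red-team.
Thresholds, ARNs and sample records below are assumptions.
"""
import json
import sys
from collections import defaultdict
from datetime import datetime, timedelta


def _parse_time(ts):
    # CloudTrail eventTime is ISO 8601 in UTC with a trailing Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_password_data_sweeps(records, min_instances=5, window=timedelta(minutes=10)):
    """Return {principal_arn: summary} for principals that called GetPasswordData
    on at least min_instances distinct instances inside a sliding time window.

    Denied calls (errorCode present) count just like successful ones: the
    atomic above runs from a role without permission, so the signal is the
    volume and spread of attempts, not whether any password came back.
    """
    by_principal = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") != "GetPasswordData":
            continue
        instance = rec.get("requestParameters", {}).get("instanceId")
        if not instance:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        by_principal[arn].append((_parse_time(rec["eventTime"]), instance, rec.get("errorCode")))

    findings = {}
    for arn, calls in by_principal.items():
        calls.sort(key=lambda c: c[0])
        best = set()   # largest set of distinct instances seen in any one window
        start = 0
        for end, (t_end, _, _) in enumerate(calls):
            # advance the window start until it lies within `window` of the current call
            while t_end - calls[start][0] > window:
                start += 1
            seen = {inst for _, inst, _ in calls[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_instances:
            findings[arn] = {
                "instances": sorted(best),
                "denied": sum(1 for c in calls if c[2] is not None),
                "succeeded": sum(1 for c in calls if c[2] is None),
            }
    return findings


def _record(arn, instance, minute, error_code=None):
    # Constructed CloudTrail-shaped record (not captured from a real account)
    rec = {
        "eventTime": f"2024-05-01T12:{minute:02d}:00Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "GetPasswordData",
        "userIdentity": {"type": "AssumedRole", "arn": arn},
        "requestParameters": {"instanceId": instance},
    }
    if error_code:
        rec["errorCode"] = error_code   # e.g. Client.UnauthorizedOperation for a denied EC2 call
    return rec


# Constructed sample: a role without permission probes six instances in six
# minutes (all denied), while an admin reads one instance's password later.
ATTACKER_ARN = "arn:aws:sts::123456789012:assumed-role/no-gpd-permission/stratus"
ADMIN_ARN = "arn:aws:iam::123456789012:user/ops-admin"
SAMPLE_RECORDS = (
    [_record(ATTACKER_ARN, f"i-{n:017x}", n, "Client.UnauthorizedOperation") for n in range(6)]
    + [_record(ADMIN_ARN, "i-0123456789abcdef0", 30)]
)

if __name__ == "__main__":
    # Usage: python3 detect_gpd_sweep.py [cloudtrail-export.json]; the file is the
    # standard CloudTrail export with a top-level "Records" array.
    records = SAMPLE_RECORDS if len(sys.argv) < 2 else json.load(open(sys.argv[1]))["Records"]
    print(json.dumps(find_password_data_sweeps(records), indent=2))
```

Run it after detonation against a CloudTrail export for the region in aws_region and the stratus role should surface with denied == number of instances warmed up; the single admin read does not, because it never crosses min_instances.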

Supported Platforms: linux,macos,iaas:aws

auto_generated_guid: a21118de-b11e-4ebd-b655-42f11142df0c

Inputs:

Name          Description              Type    Default Value
stratus_path  Path of stratus binary   path    $PathToAtomicsFolder/T1552/src
aws_region    AWS region to detonate   string  us-west-2

Attack Commands: Run with sh!

export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.credential-access.ec2-get-password-data
echo "starting detonate"
./stratus detonate aws.credential-access.ec2-get-password-data --force

Cleanup Commands:

export AWS_REGION=#{aws_region}
echo "Cleanup detonation"
cd #{stratus_path}
./stratus cleanup --all
rm -rf stratus*

Dependencies: Run with sh!

Description: The stratus binary must be present at #{stratus_path}/stratus

Check Prereq Commands:

if [ -f #{stratus_path}/stratus ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

# Download the latest stratus-red-team release for this OS and unpack it into #{stratus_path}.
# Note: the commands run under sh, so the test uses POSIX "=" rather than the bash-only "==".
if [ "$(uname)" = "Darwin" ]; then
  DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Darwin_x86_64 | cut -d '"' -f 4)
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz "$DOWNLOAD_URL"
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
elif [ "$(uname)" = "Linux" ]; then
  DOWNLOAD_URL=$(curl -s https://api.github.com/repos/DataDog/stratus-red-team/releases/latest | grep browser_download_url | grep Linux_x86_64 | cut -d '"' -f 4)
  wget -q -O #{stratus_path}/stratus-red-team-latest.tar.gz "$DOWNLOAD_URL"
  tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
fi

Description: Check that ~/.aws/credentials has a [default] profile configured (credentials supplied only through environment variables, AWS_PROFILE or SSO will not satisfy this check even though stratus would use them)

Check Prereq Commands:

grep -q "^\[default\]" ~/.aws/credentials

Get Prereq Commands:

echo "Please install the aws-cli and configure your AWS default profile using: aws configure"
